Researchers create magstripe versions from EMV and contactless cards

Man use smart phone and holding credit card with shopping

Man use smart phone and holding credit card with shopping online. Online payment concept.

Getty Images/iStockphoto

A British security researcher has proven this week that it is still possible in 2020 to create older-generation magnetic stripe (magstripe) cards using details found on modern chip-and-PIN (EMV) and contactless cards, and then use the cloned cards for fraudulent transactions.

In a whitepaper named “It Only Takes A Minute to Clone a Credit Card, Thanks to a 50-Year-Old Problem,” Leigh-Anne Galloway, Head of Commercial Security Research at Cyber R&D Lab, tested modern card technologies from 11 banks from the US, the UK, and the EU.

Galloway discovered that four of the 11 banks still issued EMV cards that could be cloned into a weaker magstripe version that could be abused for fraudulent transactions.



Image: Cyber R&D Lab

Under normal circumstances, this should not be possible. EMV cards were designed to be hard to clone, primarily due to the secure chip included with each one.

However, Galloway’s whitepaper explains in a step-by-step guide on how to take data from an EMV card and create an older-generation magnetic stripe clone.

This technique — of cloning a magstripe version from an EMV card — is not new and has been documented as far back as 2007.

Cloning magstripes from EMV data is, in fact, the way how many carding gangs still operate today.

Crooks use skimmer or shimmer devices to collect data on EMV cards, they create a magstripe clone, and then they use this clone to make fraudulent transactions at Point-of-Sale (POS) systems or withdraw money from ATMs in third-world countries where EMV cards have not been rolled out and magstripe cards are still accepted.

Banking industry still slow to adopt proper security practices

In her whitepaper, Galloway explains why this is still possible.

“First, the commonalities between magstripe and EMV standards for chip inserted and contactless mean that it’s possible to determine valid cardholder information from one technology and use it for another,” Galloway said.

“Secondly, magstripe is still a supported payment technology, likely because the adoption of chip-based cards has been slow in some geographic regions around the world.

“Third, although magstripe is a deprecated technology in many of the countries tested, cloned data is still effective because it is possible to cause the terminal and card to fallback to a magstripe swipe transaction,” the researcher added.

“Finally, card security codes, a critical point of card verification, are not checked at the time of the transaction by all card issuers.”

This last point is the more significant issue. As Galloway pointed out in a conversation on Twitter with this reporter, card security codes (CSC, CVV, or CVC values printed on a card) should be unique per technology and should always be validated.

While banks don’t have full control of what card/payment technologies are supported in other countries, and they’ll still have to support older technologies for legacy purposes, they have the power to verify transactions correctly.

However, as Steven Murdoch, Research Fellow at University College London, also pointed out on Twitter, the reality is that banks still fail to enforce this simple rule, even now, in 2020.

Transactions are still approved with the wrong security code, from another card technology, and even without it. By not properly verifying security codes, this leaves the door open for carding gangs to continue to operate by copying and downgrading the newer EMV cards into magstripe clones to abuse overseas, in countries where magstripe cards are still accepted.

Galloway said that while the whitepaper focused on EMV cards, contactless (NFC-based) cards can also be abused in the same way to create magstripe clones to be abused for fraudulent transactions.

About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

Millions in Cryptocurrency Stolen by Scammers in the Last Month According to Tenable Research
November 24, 2021
Behind The Scenes: How this Crypto Community Responded to + $50m Hack
October 18, 2021
Crypto Scams
Crypto Scams Still Persistent In 2021, SEC Warns About Red Flags To Watch
September 9, 2021
Poly Network
Here’s How Hackers Stole Over $600 million in the Poly Network Attack
August 12, 2021
The World’s Most Infamous Crypto Hacks and Scams
July 31, 2021

Blockchain/Cryptocurrency Questions and Answers

Crypto casinos
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
The Unconventional Guide to Ethereum
October 28, 2021
ICo Presale
The Science Behind ICO Presales…
October 14, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin54,982 0.31 % 1.25 % 8.49 %
Ethereum4,146.5 0.70 % 2.07 % 6.53 %
Binance Coin594.36 0.50 % 1.39 % 1.84 %
Tether0.9986 0.03 % 0.08 % 0.23 %
Solana192.12 1.48 % 0.50 % 12.00 %
Cardano1.510 1.89 % 2.05 % 21.55 %
XRP0.9325 0.74 % 0.76 % 15.25 %
USD Coin1.000 0.14 % 0.20 % 0.17 %
Polkadot30.87 2.19 % 17.29 % 10.73 %
Dogecoin0.2215 0.68 % 1.42 % 7.23 %

Bitcoin (BTC) $ 54,791.00
Ethereum (ETH) $ 4,118.29
Binance Coin (BNB) $ 590.95
Tether (USDT) $ 1.00
Solana (SOL) $ 189.81
Cardano (ADA) $ 1.49
XRP (XRP) $ 0.926723
USD Coin (USDC) $ 1.00
Polkadot (DOT) $ 33.69
Dogecoin (DOGE) $ 0.199349